
0day DoS: Mikrotik Server side DoS attack

Intro

After exploring the Winbox client/server protocol, I wanted to find some ways to take down the Winbox service and the Winbox client.
This finding concerns only the Mikrotik router itself, when it has the Winbox service running (on port 8291 or on any other port).
While trying to stress the server by generating a lot of traffic, I saw the service become unstable and cause various problems for the whole router. The mildest problem was 100% CPU load, but there are other problems depending on the hardware and the RouterOS version. The logic of the exploit is very simple, and the Winbox protocol analysis is simple too, so identifying this vulnerability was very easy. The vulnerability was found while downloading a DLL/plugin file from the Mikrotik router (just as the Winbox client does): choosing a big file and requesting its first part many times is what causes the DoS. The only file needed is the .py script; it was tested on Python 2.4 and 2.7.

More details, download and usage are below:

Vulnerability Description
===========================
The denial of service happens in the Mikrotik router's Winbox service when
the attacker continuously requests a part of a .dll/plugin file. The service
becomes unstable, every remote Winbox client is disconnected, and the service
refuses any further connections. This lasts for about 5 minutes; after that,
Winbox is stable again and able to accept new connections.
If the malicious packet is sent in a loop (requesting a part of a file right after
the service becomes available again), the result is a 100% denial of the Winbox service.
While the Winbox service is unstable and refusing to serve, the router's CPU goes to 100%
and other effects follow. The "other effects" depend on the RouterOS version and on the hardware. For example:
=> Mikrotik Router v3.30: LAN corruption, BGP failure, whole router failure
=> Mikrotik Router v2.9.6: BGP failure
=> Mikrotik Router v4.13: unstable wifi links
=> Mikrotik Router v5.14/5.15: rarely gets stuck
=>>> Behaviour varies, but ALL of them will show 100% CPU. Most routers lose BGP after a long attack <<

The exploit
=============
This is a vulnerability in the Winbox service. It exploits the fact that Winbox lets you download the files/plugins
that the Winbox client needs in order to control the server, and generally lets you obtain basic information about the service BEFORE
user login!
Sending specially crafted requests to the Winbox service can cause a 100% denial of the Winbox service (router side).
This script also offers the possibility to download any of the DLLs that the router serves, one by one
or all together (see the usage section for more info). The file must be listed in the router's DLL index.
The downloaded DLLs are in the Winbox service's own format: they are gzip-compressed and carry
two 0xFF marker bytes every 0x101 bytes (the format the Winbox client expects the files in).
These DLLs can be used by the "Winbox remote code execution" exploit script ;)

Download script here: mkDl

Usage
=======
Try running the script without arguments to see the usage, or
use the script as described below:
1. You can download ALL the files in the router's DLL index with the following command:

python mkDl.py 10.0.0.1 * 1

The "1" at the end is the speed. "Speed" is a factor I added so the script delays a bit while receiving
data from the server. For remote routers at a long distance (many hops) you MUST use
a slower speed (9, for example).
At the beginning of the DLL file list, the script also shows you the router's version (provided by the router's index).
2. You can download a specific .dll file from the remote router.

python mkDl.py 10.67.162.1 roteros.dll 1

In this example I download roteros.dll (the biggest and main plugin) with a speed factor of 1 (very fast).
Because roteros and 1-2 other files are big, you have to request them in separate parts (64k each);
that is a restriction of the Winbox communication protocol.
If you don't know which file to request, make a "*" request first (1st usage example), look at the DLL list, and press Ctrl-C
to stop the script.
3. You can cause a denial of service on the remote router, meaning denial of the Winbox service or more (read above for details).

python mkDl.py 10.67.162.1 DoS

This command keeps requesting the 1st part of roteros.dll from the router's Winbox service in a loop,
causing a DoS on the router. The script requests the file until the router stops responding on the port (8291).
Then it waits until the service is up again (using some exception handling), requests again until the remote service goes down again, and so on. The requests last for about 2 seconds, and the router does not respond for about 5 minutes, as far as I have seen in my tests on different RouterOS versions.
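From the router's side, the looping request described above and in the vulnerability description shows up as one source opening a burst of connections to the Winbox port every few minutes. The following detector is an added defender-side example, not code from the original post or from the mkDl script: it assumes an input-chain firewall rule on the router that logs new tcp/8291 connections with the prefix "winbox", and the sample log lines are constructed in RouterOS firewall-log style rather than captured from a real device.

```python
"""Flag sources that flood the Winbox port (tcp/8291) in RouterOS firewall logs.

Assumption: a firewall rule logs new TCP connections to 8291 with
log-prefix "winbox". The lines in SAMPLE_LOG are constructed, not captured.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one host hammering 8291 in a burst, then again after the
# ~5 minute outage, plus one legitimate admin connection from the LAN.
SAMPLE_LOG = """\
2012-07-21 03:55:00 winbox input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:51234->10.0.0.1:8291, len 60
2012-07-21 03:55:00 winbox input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:51235->10.0.0.1:8291, len 60
2012-07-21 03:55:00 winbox input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:51236->10.0.0.1:8291, len 60
2012-07-21 03:55:01 winbox input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:51237->10.0.0.1:8291, len 60
2012-07-21 03:55:01 winbox input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:51238->10.0.0.1:8291, len 60
2012-07-21 03:55:01 winbox input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:51239->10.0.0.1:8291, len 60
2012-07-21 03:55:30 winbox input: in:ether2 out:(none), proto TCP (SYN), 192.168.88.10:49152->10.0.0.1:8291, len 60
2012-07-21 04:00:15 winbox input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:51300->10.0.0.1:8291, len 60
"""

# Timestamp, source IP and destination port of each logged SYN.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*proto TCP \(SYN\), "
    r"(?P<src>[\d.]+):\d+->[\d.]+:(?P<dport>\d+)"
)


def parse_syn_lines(text, port=8291):
    """Yield (timestamp, src_ip) for every logged SYN towards the Winbox port."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group("dport")) == port:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("src")


def find_floods(text, window_s=10, max_syn=5, port=8291):
    """Return {src_ip: time_first_flagged} for sources that open more than
    max_syn connections to the Winbox port inside any window_s-second window."""
    recent = defaultdict(deque)   # per-source sliding window of SYN timestamps
    flagged = {}
    for ts, src in parse_syn_lines(text, port):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) > max_syn and src not in flagged:
            flagged[src] = ts
    return flagged
```

Feeding the router's exported log through `find_floods` gives the addresses to drop at the input chain; the legitimate single connection from the LAN host is never flagged.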

A PoC video with the DoS and the download-files feature:

  1. PoURaN
    April 30th, 2012 at 22:55 | #1

    ErebusBat reported an error in Python 2.7.1 on Lion OS X.. There was a weird behaviour in the DoS loop where there wasn't a flood of "- Sending evil packet.. press CTRL-C to stop -" as expected and there was no DoS at all.. I'll keep you updated when I check Lion myself :)
    Btw, it works fine as tested on Windows Python 2.7 and BackTrack 5..

  2. PoURaN
    May 1st, 2012 at 12:22 | #2

    Finally, the problem on Mac Lion was just the spacing of the file, specifically in lines 205-211. Redo the spacing on the Mac inside Coda and it will be OK ;)

  3. May 1st, 2012 at 13:56 | #3

    PoURaN~

    This is confirmed fixed on my box now. Also for your list.... this absolutely kills the winbox service on my 493G/ROS 5.5, however I saw no appreciable change in traffic flow.

    I tested my traffic flow by SCPing a large file from my laptop (LAN SIDE) to a server on the WAN side of the Mikrotik.

    However you could lock admins out… I know plenty of people who would be lost without WinBox.

  4. dleech
    May 15th, 2012 at 02:52 | #4

    I have a problem with this, can someone explain to me ...
    what should I do ..

    Traceback (most recent call last):
    File “mkDl.py”, line 225, in
    s.connect((mikrotikIP, 8291))
    File “C:\Python27\lib\socket.py”, line 224, in meth
    return getattr(self._sock,name)(*args)
    socket.error: [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

  5. PoURaN
    May 21st, 2012 at 09:03 | #5

    @dleech
    can you please tell us how do you run the script? Is the remote IP a mikrotik router?

  6. d4taps
    May 21st, 2012 at 21:09 | #6

    What do I do in the files (( DLL ))

    How do I see the information inside it ?!

  7. PoURaN
    May 21st, 2012 at 23:06 | #7

    @d4taps
    you don't need to.. they are the original DLLs as they are provided by Mikrotik router v5.14.. If you wanna see them you have to remove the two 0xFF 0xFF bytes in every 0x101 bytes inside every DLL.. (that's the format that winbox wants to "see" the receiving file in) if you look at the script's source you'll find out.. ;)

  8. Masoud
    June 8th, 2012 at 08:40 | #8

    How can I hack a Mikrotik Router?
    I want to hack an ISP Mikrotik and find the user & pw of the Mikrotik.

  9. GOomile
    July 5th, 2012 at 18:57 | #9

    connection reset by server... :(

  10. RBA
    July 21st, 2012 at 03:55 | #10

    same problem.. connection reset by server...

  11. kambiz
    September 3rd, 2012 at 11:10 | #11

    I have a problem running the script.
    When I run this command: C:\mkD1\python mkD1.py

    I receive this error:

    File "mkD1.py", line 75
    print "[+] Index received!"

    SyntaxError: invalid syntax
    Would you please help me with it?

  12. PoURaN
    September 3rd, 2012 at 11:20 | #12

    @kambiz
    Hey kambiz,
    tell me exactly what you do.. I am just testing it again doing:
    C:\Python27>python mkD1.py 10.10.10.1 roteros.dll 1

    and works fine… and also for DoS attack:

    C:\Python27>python mkD1.py 10.10.10.1 DoS

  13. kambiz
    September 3rd, 2012 at 13:09 | #13

    I've solved the problem. The problem occurred because the script syntax belongs to Python version 2 but the Python I installed is version 3, so I converted it to version 3 using 2to3.py in Python.
    Now I have another problem. When I run this:

    c:\Python32>python mkDl.py (mikrotik ip) * 7

    I receive this error:

    [Winbox plugin downloader]

    Traceback (most recent call last):
    File “mkDl.py”, line 226, in
    s.send(winboxStringIndex)
    TypeError: 'str' does not support the buffer interface.

    would you please help me with it?

  14. PoURaN
    September 3rd, 2012 at 14:15 | #14

    @kambiz
    I can't install python 32 atm to check it.. but I see that line 226 has s.send(winboxStartingIndex) and not s.send(winboxStringIndex)

  15. kambiz
    September 3rd, 2012 at 18:41 | #15

    Yes, I made a mistake while typing.
    As you said, it is: s.send(winboxStartingIndex)

  16. kambiz
    September 4th, 2012 at 09:36 | #16

    The problem is solved by installing python27.
    I have another question. Is there any way or any exploit to download the backup files from Mikrotik?

  17. PoURaN
    September 4th, 2012 at 11:36 | #17

    @kambiz
    No, only from winbox

  18. September 26th, 2012 at 10:27 | #18

    HEY, ADMIN,
    can I get users with this method?

  19. De@th
    October 3rd, 2012 at 10:57 | #19

    It worked fine but I still have a question.
    Isn't there any way to get the Mikrotik password, or do those DLL files this script downloads contain the router password?

    • PoURaN
      October 3rd, 2012 at 13:01 | #20

      no you can't do it with this method.. and inside the DLL there is no info like that.. You can just grab the admin's saved winbox passwords (if there are any) using the command execution exploit and a MAC spoofing method BUT you must be in the same LAN as the victim OR you can social him, so you don't need the same LAN and MAC spoofing ... :P

  20. Ghacker2012
    October 12th, 2012 at 01:45 | #21

    what i want to do is exactly what u have just said "You can just grab the admin's saved winbox passwords (if there are any)". iam on the same lan. please can you explain it for me how to grab password for admin from saved password and how can i make this "command execution exploit and a mac spoofing method", please help me in this

  21. Ghacker
    October 12th, 2012 at 17:20 | #22

    @PoURaN
    41.35.44.57

  22. hi
    October 29th, 2012 at 11:24 | #23

    thanks PoURaN for this great info, i don't think that i would find it anywhere else, and i have 3 questions:
    1st: how can i get the backup of the mikrotik or the other info like user names? don't the dll files that we downloaded contain all the info?

    2nd: how do i use the dll files to extract the info in them, like ppp and any others?

    3rd: what mac do i have to spoof, the admin pc on the lan, the mikrotik, or anyone who is connected to the mikrotik?

  23. PoURaN
    October 29th, 2012 at 12:59 | #24

    @hi
    Hello, concerning your questions:
    1) no you can't.. and no, the DLLs don't contain any info about users/backups.. they just contain functions to make winbox.exe work with the specific Mikrotik version.
    2) you can't.. look at 1) :p
    3) MAC spoofing can be done when you are in the same LAN as your victim (in this case your victim is the Mikrotik admin).. search more about MAC spoofing..

  24. hi
    November 1st, 2012 at 21:00 | #25

    thanks PoURaN again for your answer
    you said "You can just grab the admin's saved winbox passwords (if there are any) using the command execution exploit and a mac spoofing method"
    i know how to spoof the mac address but what do u mean by command execution exploit? what is this and can u tell me in detail, because it's almost a year that i am trying to hack the mikrotik to get the user and pass :)

  25. hi
    November 4th, 2012 at 20:24 | #26

    at least can u tell me how to get the command execution exploit? do i need backtrack?

  26. PoURaN
    November 5th, 2012 at 01:27 | #27

    @hi
    Hey man.. I was a bit busy, that's why I was late to reply.. So.. by saying remote code execution exploit, I mean this one.. http://www.133tsec.com/2012/04/27/0day-mikrotik-winbox-client-side-attack-a-remote-code-execution-exploit/
    Watch and understand the video I made there.. To execute code on your victim, you have to do it 1) by social engineering (talk to him and ask him to connect to your malicious mtik emulator) 2) by spoofing his router and forcing him to connect to you instead of his router (MAC spoofing - same LAN)
    For how to make a malicious emulator for mtik, watch the video of the exploit I told you about earlier..
    cya

  27. hi
    November 7th, 2012 at 07:34 | #28

    thanks m8 i will
    c u

  28. insane
    January 18th, 2013 at 13:14 | #29

    I think it is a good idea to write a script that is a honeypot for Mikrotik to collect user/pass and then spoof the router's MAC.

  29. Joca
    January 29th, 2013 at 02:56 | #30

    Not Working on 6.0rc6
